IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In Application of: Afek et al.

Serial No.: 09/929,877          Group Art Unit: 2151

Filed: August 14, 2001          Examiner: Frantz B. Jean

For: METHODS AND APPARATUS FOR PROTECTING AGAINST
     OVERLOAD CONDITIONS ON NODES OF A DISTRIBUTED
     NETWORK



Honorable Commissioner for Patents
P.O. Box 1450
Alexandria, Virginia 22313-1450



DECLARATION UNDER 37 CFR 1.131

Sir:

We, the undersigned, Yehuda Afek, Anat Bremler-Barr and
Dan Touitou, hereby declare as follows:

1) We are the Applicants in the patent application
identified above, and are the inventors of the subject matter
described and claimed in claims 1-8, 10, 11, 13-16, 20, 33, 35
and 46-69 therein.

10-SEP-2008 16:43  FROM   TO 9037180801   P. 02
US 09/929,877
Declaration under 37 C.F.R. 1.131 by Afek et al.

2) We conceived our invention prior to September 28, 2000,
in Israel, a WTO country. We were then diligent in
preparation of a provisional patent application covering the
invention during the period between September 28, 2000, and
October 17, 2000, when the provisional patent application (US
60/240,899) was filed. The present patent application (US
09/929,877) claims priority from this provisional patent
application.

3) As evidence of the conception of the present invention,
we attach hereto, as Exhibits A and B, parts of a draft of the
present patent application. These documents were prepared
September 14, 2000, and September 18, 2000, respectively.
(Proof of the dates of these documents, as well as other
documents cited herein, is attached hereto as Exhibit G in the
form of a directory listing of the archive in which the
documents were stored. The relevant files and dates in the
archive are noted below.)

4) The following tables show the correspondence between
the independent claims now pending in this application and
Exhibits A and B. In view of this correspondence, it is clear
that we conceived the claimed invention prior to September 28,
2000.



Claim 1 (claim language, each followed by the corresponding
Exhibit passage)

  A method of responding to an overload condition at a
  network element ("victim") in a set of one or more
  potential victims on a network
    -- Exhibit A, page 1, paragraph 1: "NetGuard system is
       activated upon receiving alerts of an attack. The
       system than focused on defending only the victim(s)
       of the attack."

  A. responsively to an indication of an anomalous traffic
  condition, initiating diversion of traffic destined for
  the victim by a first set of one or more network elements
  external to the set of one or more potential victims to a
  second set of one or more network elements external to
  the set of one or more potential victims
    -- Exhibit A, page 1, paragraph 4: "At the time of the
       attack all traffic to the server, which is the victim
       of the attack, is navigated to the NetGuard. This is
       done by routing any traffic using the victim public
       address to NetGuards. Hence achieving our first goal,
       that traffic to the victim, from outside the network,
       and inside the network, is redirected to NetGuards."

  B. the element(s) of the second set filtering traffic
  diverted in step A ("diverted traffic") and selectively
  passing a portion thereof to the victim
    -- Exhibit A, page 1, last paragraph: "The NetGuards
       machine, discriminates between traffic to the victim
       that is part of the attack, and genuine traffic. The
       traffic of the attack would be blocked at NetGuards.
       Genuine traffic would be routed from the NetGuards to
       the victim, using the victim private address."


Claim 46 (claim language, each followed by the corresponding
Exhibit passage)

  A network element for use in protecting against an
  overload condition on a network
    -- Exhibit A, page 1, paragraph 1: "NetGuard system is
       activated upon receiving alerts of an attack. The
       system than focused on defending only the victim(s)
       of the attack."

  an input for receiving traffic diverted from the network,
  the traffic comprising flows of data packets having
  respective source addresses
    -- Exhibit A, page 1, paragraph 4: "At the time of the
       attack all traffic to the server, which is the victim
       of the attack, is navigated to the NetGuard. This is
       done by routing any traffic using the victim public
       address to NetGuards."
    -- Exhibit B, section 1.1: "It is common (e.g., in the
       Cisco convention) to define a network flow by the
       following parameters: i. Source IP address..."

  a statistics module that is arranged to perform a
  statistical analysis of the diverted traffic so as to
  detect an anomalous pattern of a flow associated with at
  least one of the source addresses
    -- Exhibit B, section 1.3.2: "Attack Analysis: Will be
       conducted during attack time and will be responsible
       to compare the historically collected statistical
       data with the current traffic volume and generate
       rules for traffic blockage. The output of this unit,
       in general, will consist of a list of items for each
       of which three parameters will be provided:
       a. Network flow, identified by a combination of
       source IP address (can be prefixed), destination IP
       address, destination port number, protocol type..."

  a filter, which is operative, responsively to detection
  of the anomalous pattern, to block at least a portion of
  the data packets having the at least one of the source
  addresses
    -- Exhibit B, section 1.3, last paragraph: "The analysis
       will be based on the statistical parameters of the
       data and will aim at keeping the attacked destination
       at normal loads by blocking the most 'suspected'
       traffic streams."

  an output coupled to the input for selectively passing on
  to further elements in the network traffic not blocked by
  the filter
    -- Exhibit A, page 1, last paragraph: "The NetGuards
       machine, discriminates between traffic to the victim
       that is part of the attack, and genuine traffic. The
       traffic of the attack would be blocked at NetGuards.
       Genuine traffic would be routed from the NetGuards to
       the victim, using the victim private address."



Claim 46 (claim language, each followed by the corresponding
Exhibit passage)

  A system for use in protecting against an overload
  condition on a network
    -- Exhibit A, page 1, paragraph 1: "NetGuard system is
       activated upon receiving alerts of an attack. The
       system than focused on defending only the victim(s)
       of the attack."

  one or more network elements ("guards") disposed on the
  network
    -- Exhibit A, page 1, paragraph 4: "At the time of the
       attack all traffic to the server, which is the victim
       of the attack, is navigated to the NetGuard."

  an input for receiving traffic from the network
    -- Exhibit A, page 1, paragraph 4: "This is done by
       routing any traffic using the victim public address
       to NetGuards."

  a filter coupled to the input, the filter selectively
  blocking traffic originating from a source suspected as
  potentially causing the overload condition
    -- Exhibit B, section 1.3, last paragraph: "The
       analysis ... will aim at keeping the attacked
       destination at normal loads by blocking the most
       'suspected' traffic streams."

  a statistics module that is coupled to the filter and
  that identifies the traffic statistically indicative of
  having originated from the source suspected as
  potentially causing the overload condition
    -- Exhibit B, section 1.3.2: "Attack Analysis: Will be
       conducted during attack time and will be responsible
       to compare the historically collected statistical
       data with the current traffic volume and generate
       rules for traffic blockage. The output of this unit,
       in general, will consist of a list of items for each
       of which three parameters will be provided:
       a. Network flow, identified by a combination of
       source IP address (can be prefixed), destination IP
       address, destination port number, protocol type..."

  an output coupled to the input for selectively passing on
  to further elements in the network traffic not blocked by
  the filter
    -- Exhibit A, page 1, last paragraph: "The NetGuards
       machine, discriminates between traffic to the victim
       that is part of the attack, and genuine traffic. The
       traffic of the attack would be blocked at NetGuards.
       Genuine traffic would be routed from the NetGuards to
       the victim, using the victim private address."

  one or more further network elements ("diverters")
  disposed on the network and in communication with the
  guards, the further network elements selectively
  initiating, responsively to detection of an anomalous
  traffic condition, diversion to at least one of the
  guards traffic otherwise destined for a still further
  network element ("victim") in a set of one or more
  potential victims on the network
    -- Exhibit A, page 1: "routers" shown in the figure
       diverting traffic to "NetGuards," as stated in
       paragraph 4 on page 1: "At the time of the attack all
       traffic to the server, which is the victim of the
       attack, is navigated to the NetGuard. This is done by
       routing any traffic using the victim public address
       to NetGuards. Hence achieving our first goal, that
       traffic to the victim, from outside the network, and
       inside the network, is redirected to NetGuards."
Claim 56 (claim language, each followed by the corresponding
Exhibit passage)

  A method of responding to an overload condition at a
  network element ("victim") in a set of one or more
  potential victims on a network
    -- Exhibit A, page 1, paragraph 1: "NetGuard system is
       activated upon receiving alerts of an attack. The
       system than focused on defending only the victim(s)
       of the attack."

  diverting to a guard machine traffic destined for the
  victim, the traffic comprising flows of data packets
  having respective source addresses
    -- Exhibit A, page 1, paragraph 4: "At the time of the
       attack all traffic to the server, which is the victim
       of the attack, is navigated to the NetGuard. This is
       done by routing any traffic using the victim public
       address to NetGuards."
    -- Exhibit B, section 1.1: "It is common (e.g., in the
       Cisco convention) to define a network flow by the
       following parameters: i. Source IP address..."

  performing a statistical analysis of the diverted traffic
  at the guard machine so as to detect an anomalous pattern
  of a flow associated with at least one of the source
  addresses
    -- Exhibit B, section 1.3.2: "Attack Analysis: Will be
       conducted during attack time and will be responsible
       to compare the historically collected statistical
       data with the current traffic volume and generate
       rules for traffic blockage. The output of this unit,
       in general, will consist of a list of items for each
       of which three parameters will be provided:
       a. Network flow, identified by a combination of
       source IP address (can be prefixed), destination IP
       address, destination port number, protocol type..."

  a filter, which is operative, responsively to detection
  of the anomalous pattern, to block at least a portion of
  the data packets having the at least one of the source
  addresses
    -- Exhibit B, section 1.3, last paragraph: "The analysis
       will be based on the statistical parameters of the
       data and will aim at keeping the attacked destination
       at normal loads by blocking the most 'suspected'
       traffic streams."

  responsively to detecting [the anomalous pattern],
  preventing at least a portion of the data packets having
  the at least one of the source addresses from reaching
  the victim while passing to the victim at least some of
  the data packets from other source addresses
    -- Exhibit A, page 1, last paragraph: "The NetGuards
       machine, discriminates between traffic to the victim
       that is part of the attack, and genuine traffic. The
       traffic of the attack would be blocked at NetGuards.
       Genuine traffic would be routed from the NetGuards to
       the victim, using the victim private address."



Claim 66 (claim language, each followed by the corresponding
Exhibit passage)

  A method of responding to an overload condition at a
  network element ("victim") in a set of one or more
  potential victims on a network
    -- Exhibit A, page 1, paragraph 1: "NetGuard system is
       activated upon receiving alerts of an attack. The
       system than focused on defending only the victim(s)
       of the attack."

  coupling the victim to receive traffic from the network
  via a first port of a network switch
    -- Exhibit A, page 1: In the figure, the victim is
       coupled to receive traffic via one output of a
       router.

  actuating the network switch to divert the traffic
  destined for the victim to a second port to which a guard
  machine is coupled
    -- Exhibit A, page 1, paragraph 4: "At the time of the
       attack all traffic to the server, which is the victim
       of the attack, is navigated to the NetGuard. This is
       done by routing any traffic using the victim public
       address to NetGuards." The figure shows that the
       NetGuard is coupled to a different port of the router
       from the victim.

  filtering the diverted traffic using the guard machine
    -- Exhibit A, page 1, last paragraph: "The NetGuards
       machine, discriminates between traffic to the victim
       that is part of the attack, and genuine traffic. The
       traffic of the attack would be blocked at NetGuards."

  selectively passing at least a portion of the filtered
  traffic from the guard machine to the victim
    -- Exhibit A, page 1, last paragraph: "The traffic of
       the attack would be blocked at NetGuards. Genuine
       traffic would be routed from the NetGuards to the
       victim, using the victim private address."
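The guard behaviour that the claim tables and the quoted Exhibit passages describe (traffic to the victim diverted to a guard, current per-flow volume compared against historically collected statistics, block rules keyed on a source address that "can be prefixed", and only the remaining traffic forwarded to the victim's private address) can be followed in code. The Python below is an added example written for this page; it is not part of the declaration, of the exhibits, or of the NetGuard system itself. The flow key, the mean-plus-k-standard-deviations threshold, the /24 aggregation step, the documentation-range addresses and every traffic count are constructed assumptions.

```python
"""Guard-machine pipeline: statistical attack analysis plus filtering.
Added illustration; addresses, thresholds, the /24 aggregation and all
traffic counts are constructed assumptions, not taken from the exhibits."""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network
import statistics

# Flow key as the exhibit defines it: source IP, destination IP,
# destination port, protocol type. A packet carries the same four fields,
# so a packet tuple doubles as its flow key.
Packet = namedtuple("Packet", "src dst dport proto")
BlockRule = namedtuple("BlockRule", "src_prefix dst dport proto")

def matches(rule, pkt):
    """True when the packet's source lies in the rule's prefix and its
    destination, port and protocol are the rule's."""
    return (ip_address(pkt.src) in ip_network(rule.src_prefix)
            and (pkt.dst, pkt.dport, pkt.proto) == rule[1:])

def attack_analysis(baseline, current, k=3.0, floor=5):
    """Compare current per-flow packet counts with the historical baseline
    ({flow: [counts per past window]}) and emit a /32 block rule for every
    flow above mean + k*stdev of its history, or above `floor` packets for a
    source with no history. The threshold is an assumption of the example."""
    rules = []
    for flow, count in current.items():
        hist = baseline.get(flow, [])
        if len(hist) >= 2:
            limit = statistics.mean(hist) + k * max(statistics.pstdev(hist), 1.0)
        else:
            limit = hist[0] * k if hist else floor
        if count > limit:
            rules.append(BlockRule(f"{flow.src}/32", flow.dst, flow.dport, flow.proto))
    return rules

def aggregate_rules(rules, min_hosts=3):
    """Collapse host rules sharing a /24 into one prefix rule once at least
    `min_hosts` hosts in it are flagged (the exhibit's source 'can be
    prefixed'); smaller groups keep their /32 rules."""
    groups = {}
    for r in rules:
        net = str(ip_network(r.src_prefix).supernet(new_prefix=24))
        groups.setdefault((net, r.dst, r.dport, r.proto), []).append(r)
    out = []
    for key, members in groups.items():
        out.extend([BlockRule(*key)] if len(members) >= min_hosts else members)
    return out

def guard_filter(packets, rules, victim_public, victim_private):
    """Drop packets matching any block rule; forward the rest to the victim's
    private address, as the exhibit routes genuine traffic."""
    passed, blocked = [], 0
    for p in packets:
        if any(matches(r, p) for r in rules):
            blocked += 1
        else:
            dst = victim_private if p.dst == victim_public else p.dst
            passed.append(p._replace(dst=dst))
    return passed, blocked

# Constructed sample traffic using documentation address ranges.
VICTIM_PUBLIC, VICTIM_PRIVATE = "198.51.100.10", "10.0.0.10"
GENUINE = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
BASELINE = {Packet(s, VICTIM_PUBLIC, 80, "tcp"): [10, 12, 9, 11] for s in GENUINE}

def current_window():
    """Genuine sources at their usual rate, three hosts in one /24 and one
    stand-alone host flooding the victim's web port."""
    pkts = []
    for s, n in zip(GENUINE, [11, 10, 13]):
        pkts += [Packet(s, VICTIM_PUBLIC, 80, "tcp")] * n
    for s in ["203.0.113.10", "203.0.113.11", "203.0.113.12"]:
        pkts += [Packet(s, VICTIM_PUBLIC, 80, "tcp")] * 500
    return pkts + [Packet("192.0.2.77", VICTIM_PUBLIC, 80, "tcp")] * 400

def run_guard():
    """Analyse one window of diverted traffic, build rules, filter it."""
    pkts = current_window()
    rules = aggregate_rules(attack_analysis(BASELINE, Counter(pkts)))
    passed, blocked = guard_filter(pkts, rules, VICTIM_PUBLIC, VICTIM_PRIVATE)
    return rules, passed, blocked

if __name__ == "__main__":
    rules, passed, blocked = run_guard()
    for r in rules:
        print(f"block {r.src_prefix} -> {r.dst}:{r.dport}/{r.proto}")
    print(f"passed {len(passed)} packets, blocked {blocked}")
```

Two points worth noting when reading it against the claims: the analysis only ever yields rules for flows that exceed their own history, so the three genuine sources, whose current counts sit inside their baseline spread, pass untouched; and the aggregation step is what turns three flagged hosts in 203.0.113.0/24 into a single prefix rule while the lone 192.0.2.77 stays a /32, which is the "can be prefixed" behaviour the exhibit mentions without prescribing a policy for it.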



5) During the period between September 28 and October 17,
we worked continuously and diligently to revise and supplement
the material in the original drafts in order to complete the
provisional patent application that was subsequently filed.
Some of the draft documents that we prepared during this
period are attached hereto as Exhibits C, D, E and F. These
documents were completed, respectively, on September 29,
October 2, October 9, and October 15, 2000. We then
completed and filed our provisional patent application on
October 17, 2000.

6) Exhibit G is a directory listing of the archive from
which Exhibits A-F were taken. The table below lists the file
names and dates as they appear in Exhibit G:

Exhibit   File Name                                  Date
A         Net….doc (name partly illegible in scan)   September 14, 2000
B         Statistical-patents.doc                    September 18, 2000
C         Copy of netXX.doc                          September 29, 2000
D         Attack Identification.doc                  October 2, 2000
E         Statistical-patent-hanoch5                 October 8, 2000
F         Mordi.ppt                                  October 13, 2000
We hereby declare that all statements made herein of our
own knowledge are true and that all statements made on
information and belief are believed to be true; and further
that these statements were made with the knowledge that
willful false statements and the like so made are punishable
by fine or imprisonment, or both, under Section 1001 of Title
18 of the United States Code and that such willful false
statements may jeopardize the validity of the application or
any patent issued thereon.



Yehuda Afek
Citizen of Israel
26 Hacarmel Street
Hod Hasharon
Israel

Date:


Dan Touitou
Citizen of Israel
21 Golani Street
Ramat Gan 52224
Israel

Date: (handwritten)


Anat Bremler-Barr
Citizen of Israel
17 Hashomron Street
Ramat Hasharon
Israel

Date: